Smart Antennas and : Enabling Secure Convergence
July 5, 2017
About OpenSynergy
OpenSynergy develops software solutions for embedded automotive systems. OpenSynergy's product portfolio includes the key software components needed to create efficient automotive solutions in the areas of:
- Infotainment
- Connectivity
- Driver Information
- Driver Assistance
OpenSynergy Focus
Domain Convergence: Connected Car, Instrument Cluster, Head Unit, ADAS, Connectivity
- Integration on a single ECU
- Safety & Security
- Standardization
- Towards autonomous cars
OpenSynergy Portfolio

Products and Services:
- COQOS SDK: -based software integration platform
  Safety & security; fast-boot and secure boot; Linux, Android, AUTOSAR; sharing of devices; complete automotive use-cases out of the box
  Target: Infotainment, Connectivity, Driver information, Driver assistance
- Update SDK: secure modular software update framework
  Secure and robust; takes advantage of the hypervisor; modular architecture; modular software update; supports complex automotive use-cases
  Target: all automotive ECUs
- Blue SDK: dual-mode embedded Bluetooth stack
  Supports the latest standard; easy integration; vendor-independent; satisfies automotive requirements
  Target: Infotainment, Connectivity, non-automotive
- Voice SDK: audio processing library
  Multi-microphone / beam-forming; easy to tune & port
  Target: Infotainment, Connectivity
- Services: automotive-quality software development services
  Protocol stacks for Car2Cloud (embedded and backend); product porting and customization; complete ECU software
  Target: Infotainment, Connectivity, Driver information, Driver assistance

Diagram: COQOS stack with Bootloader (Secure Boot, Modular Boot), Shared Devices / Shared Graphics / Shared Driver, System Supervisor, Early Apps (e.g. Rear-View Camera) and Third party components; layers attributed to OpenSynergy and Tier 1
Smart Antenna
Integrated radio functions: 2.5, 3, 4, 5G; (DVB-T2 / ISDB-T); GNSS; AM/FM / DAB / DAB+ / DMB / CMB / DRM; Bluetooth / WiFi; Car2X
Single-chip solutions reduce cost, space, weight and thermal management issues.
Diagram: non-safety critical and safety critical partitions; RTOS
What is a hypervisor
Diagram: Host running a hypervisor with two VMs, each with a Guest
A hypervisor is a software layer that creates and runs "virtual machines" (VMs). The device on which the hypervisor runs is called the host. Each virtual machine runs a guest operating system.
The hypervisor:
- separates the VMs
- protects their resources
- manages their execution
- provides controlled communication channels between the VMs
- assures freedom from interference between the VMs
Architecture
Diagram: Applications running on virtualized guest OSs (Linux, Android, System Supervisor Guest OS, other AUTOSAR), connected through IXCF (Inter-X Communication Framework); AUTOSAR OS; COQOS; Bootloader + Safety Kit; Configuration Tooling; Development/Debugging
Architecture (detail)
Diagram: three VMs, each with a Guest OS, Guest Userland, virtual firmware and core devices (GIC, Timer, UART); COQOS provides Configuration, IXCF Core Services (Inter-VM Signaling, Timer Queues, Serial MUX), Scheduler with CPU sharing logic, and device drivers for the physical devices and firmware
IXCF = Inter-X Communication Framework
Multi Core Support
Diagram: VM A (with two virtual cores: vcore A.0, vcore A.1), VM B (with one virtual core: vcore B.0), VM M (with multiple virtual cores: vcore M.0 ... vcore M.n); each VM runs its payloads on its own guest OS scheduler; COQOS (with multiple physical cores) maps the virtual cores onto Core 0, Core 1, Core 2 ... Core N
General challenge of "device sharing"
Native system: a single (native) OS uses its device driver to access the device (Ethernet, WiFi, Bluetooth, GPU, Graphics, Audio, ...).
Virtualized system: several VMs need to use the services provided by a single device (send Ethernet frame, use shader on GPU, play audio, ...), yet there is still one device driver and one device: how is it shared?
Mechanisms for device sharing in
- device with virtualization support: the device exposes virtual devices (virtdev1 ... virtdevn), one per VM
- low-level client-server sharing over IXCF
- distributed frameworks over VNET: a framework instance in each VM communicating over the virtual network
Safety and Security
Safety guards the World from the car. (Cyber)Security guards the car from the World.
As soon as the car is inter-connected with the World, security is needed for safety.
The technical measures to achieve system safety and security goals are similar.
Design Patterns for Safety
Diagram: VM without ASIL requirements ... VM that underlies ASIL requirements (ASIL); External MCU; External Watchdog (ASIL)
Mixed ASIL system according to ISO 26262 by:
o using a hierarchical watchdog approach
o using checking/monitoring strategies wherever possible
o using E2E protection in the communication wherever possible
o freedom from interference through separated VMs
Design Patterns for Security
Diagram: external interfaces (attack surface) facing a General Purpose VM ... Hardened VM; Trusted OS (TEE); External Security Chip (certified)
Security features and security assurance:
- MILS (Multiple Independent Levels of Security) architecture ensures strong separation between VMs
- support -specific hardware security
- support secure software update
System Supervisor: watchdog hierarchy
Diagram: HW watchdog serviced by the System Supervisor; the System Supervisor monitors, via the hypervisor, the critical VMs (critical VM, critical VM, critical VM)
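The hierarchical watchdog approach from the safety design patterns and this slide, as an added simulation (example code, not OpenSynergy's or COQOS's): a System Supervisor services the hardware watchdog only while every monitored critical VM has delivered a heartbeat within its deadline; once a VM goes silent the supervisor stops kicking and the hardware watchdog fires. VM names, deadlines and timeouts are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class HwWatchdog:
    """Hardware watchdog: fires a reset if not kicked within `timeout` seconds."""
    timeout: float
    last_kick: float = 0.0
    reset_fired: bool = False

    def kick(self, now: float) -> None:
        self.last_kick = now

    def tick(self, now: float) -> bool:
        if now - self.last_kick > self.timeout:
            self.reset_fired = True
        return self.reset_fired


@dataclass
class SystemSupervisor:
    """Collects heartbeats from critical VMs and services the HW watchdog."""
    hw: HwWatchdog
    deadlines: dict[str, float]                  # VM name -> max heartbeat gap
    last_beat: dict[str, float] = field(default_factory=dict)

    def heartbeat(self, vm: str, now: float) -> None:
        self.last_beat[vm] = now                 # delivered over inter-VM channel

    def stale_vms(self, now: float) -> list[str]:
        return sorted(vm for vm, dl in self.deadlines.items()
                      if now - self.last_beat.get(vm, -1e9) > dl)

    def service(self, now: float) -> list[str]:
        """Kick the HW watchdog only if every monitored VM is alive."""
        stale = self.stale_vms(now)
        if not stale:
            self.hw.kick(now)
        self.hw.tick(now)
        return stale


def simulate(hang_vm: str | None, until: float = 10.0) -> tuple[bool, list[str]]:
    """0.5 s ticks; `hang_vm` (constructed name) stops heartbeating at t=3.
    Returns (hardware reset fired, VMs reported stale at the last tick)."""
    hw = HwWatchdog(timeout=2.0)
    sup = SystemSupervisor(hw, {"cluster": 1.0, "car2x": 1.0, "adas_gw": 1.0})
    stale, t = [], 0.0
    while t <= until and not hw.reset_fired:
        for vm in sup.deadlines:
            if not (vm == hang_vm and t >= 3.0):
                sup.heartbeat(vm, t)
        stale = sup.service(t)
        t += 0.5
    return hw.reset_fired, stale
```

With all VMs alive the hardware watchdog is never allowed to expire; with "car2x" hung, the supervisor reports it stale at t=4.0 and the reset fires at t=6.0 because no kick has happened since t=3.5.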
Strong Separation
Diagram: VM without ASIL requirements / untrusted VM beside a VM that underlies ASIL requirements / hardened VM, both on COQOS; the SMMU, controlled by COQOS, sits between a device with DMA and memory
SMMU = System MMU, or IO-MMU
DMA = Direct Memory Access
Secure Boot
Boot process: Boot Loader -> Trusted OS (optional) -> 1st VM -> 2nd VM ...
Signature verification at each stage: image verification first, then load authorization
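The verify-then-load chain on this slide, as an added example (not OpenSynergy's boot loader code): each next-stage image carries a tag over its header and payload, the boot stage checks the tag before authorizing the load, and the chain halts at the first image that fails so nothing after it runs. To stay dependency-free, HMAC-SHA256 with a key held by the boot loader stands in for the asymmetric signature check a real secure boot uses (an assumption); image format, stage names and payloads are constructed.

```python
import hashlib
import hmac

BOOT_KEY = b"example-root-key-not-for-production"   # constructed placeholder
MAGIC = b"IMG1"                                      # constructed image format


def sign_image(name: str, payload: bytes, key: bytes = BOOT_KEY) -> bytes:
    """Image layout: MAGIC | 16-byte stage name | 32-byte tag | payload."""
    header = MAGIC + name.encode().ljust(16, b"\0")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


def verify_image(image: bytes, key: bytes = BOOT_KEY) -> tuple[bool, str]:
    """Return (ok, stage name) without executing anything from the image."""
    if len(image) < 52 or image[:4] != MAGIC:
        return False, "?"
    header, tag, payload = image[:20], image[20:52], image[52:]
    name = image[4:20].rstrip(b"\0").decode()
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), name   # constant-time compare


def boot_chain(images: list[bytes], key: bytes = BOOT_KEY) -> list[str]:
    """Load stages in order (Trusted OS, 1st VM, 2nd VM ...). Verification
    comes first; the load is authorized only on success, and the chain halts
    at the first failing image."""
    loaded: list[str] = []
    for image in images:
        ok, name = verify_image(image, key)
        if not ok:
            loaded.append(f"HALT:{name}")
            break
        loaded.append(name)
    return loaded


def tamper(image: bytes) -> bytes:
    """Flip one payload byte, simulating a modified VM image."""
    return image[:-1] + bytes([image[-1] ^ 0x01])


# Constructed sample chain: optional Trusted OS, then two VMs
CHAIN = [sign_image("trusted_os", b"tee-image"),
         sign_image("vm1", b"system-supervisor"),
         sign_image("vm2", b"linux-car2x")]
```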
OP-TEE Support
Diagram: Normal World holds Untrusted VM, Untrusted VM and a Trusted VM running the Trusted Applications Client; Secure World (TrustZone) holds OP-TEE (*) with Trusted Applications, OP-TEE API, Crypto API, Crypto Functions, Secure Storage and the Private keys; COQOS underneath
(*) Open Portable Trusted Execution Environment, available from Linaro
Software Update
Diagram: the update package is received by the Fetcher in an Untrusted VM and handed to the Updater in a Trusted VM, both running on COQOS
Use-Case Smart Antenna
Diagram: 2.5, 3, 4, 5G; (DVB-T2 / ISDB-T); GNSS; AM/FM / DAB / DAB+ / DMB / CMB / DRM; Bluetooth / WiFi; Car2X; safety critical partition with System Supervisor; non-safety critical partition; RTOS; Update
- Single-chip solutions reduce cost, space, weight and thermal management issues.
- Security is a big concern: separation through a hypervisor provides an additional level of isolation between exposed communication stacks (Car2Cloud) and vehicle systems.
- Functions with an impact on vehicle safety can be integrated in a separate VM: e.g. a Car2X communication stack with secured communication to ADAS devices in the car.
- AUTOSAR eases the integration with the vehicle systems.
- Linux provides easy development and integration of communication stacks.